OpenOffice Targeted Data Exposure Using Crafted OLE Objects

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache OpenOffice 4.1.0 and older on Windows.

OpenOffice.org versions are also affected.

Description:

The exposure relies on the way OLE previews are generated: when a specially
crafted document is opened, arbitrary file data is embedded into it. Data exposure is
possible if the updated document is then distributed to other parties.

Mitigation:

Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1.
Users who are unable to upgrade immediately should be cautious when they are asked to "Update Links" for untrusted documents.

Credits:

The Apache OpenOffice security team credits Open-Xchange for reporting this flaw.
